CN108667855B - Network flow abnormity monitoring method and device, electronic equipment and storage medium - Google Patents


Publication number
CN108667855B
Authority
CN
China
Prior art keywords: data, illegal, resource, target, client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810797725.6A
Other languages
Chinese (zh)
Other versions
CN108667855A (en)
Inventor
刘俊启
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baidu Online Network Technology Beijing Co Ltd
Original Assignee
Baidu Online Network Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Baidu Online Network Technology Beijing Co Ltd
Priority to CN201810797725.6A
Publication of CN108667855A
Application granted
Publication of CN108667855B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The application provides a network traffic anomaly monitoring method and device, electronic equipment and a storage medium, and belongs to the technical field of computers. The method comprises the following steps: acquiring a page loading request, wherein the loading request comprises a target page identifier; determining a target download data volume according to the target page identifier; recording attribute information of each piece of actually downloaded data when the page is loaded, wherein the attribute information comprises the data volume of each piece of actually downloaded data and the resource data corresponding to it; judging whether the total data volume of the actually downloaded data is larger than the target download data volume; and if so, sending a network traffic anomaly message to the server, wherein the anomaly message comprises the resource data corresponding to the illegal data. With this method the illegal data is determined by the client and network traffic anomalies are monitored there, which saves computation overhead, improves timeliness, protects the user's information and property, and improves the user experience.

Description

Network flow abnormity monitoring method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for monitoring network traffic anomaly, an electronic device, and a storage medium.
Background
Since the start of the 21st century, technology has developed rapidly and the internet has reached every aspect of people's daily life. Using the internet for work, learning and entertainment has become the norm in the information society. The widening use of the internet brings great convenience to production and daily life, but it has also gradually exposed various defects. To make a profit, lawbreakers steal user information through the internet. For example, illegal sites inject illegal data, capable of obtaining data in the background, into the page currently being transmitted to a user, in order to steal the user's private data or maliciously consume the user's traffic, which seriously damages the user's information security and property security.
Efficiently and reliably filtering illegal data in the network, and so protecting the user's information and property, is therefore of great practical significance. Existing network traffic anomaly monitoring technology mainly relies on a server to monitor and filter illegal data in the network. For example, before sending the data requested by a client, the server may preload the data to determine whether illegal data has been injected into it. Frequent preloading not only needs a large amount of cloud storage but also has a huge computation overhead, which increases the computing burden on the server. In addition, illegal data is likely to be injected while the server is sending the data to the client, in which case the server cannot detect it when preloading. The existing server-based method for detecting and filtering illegal data in the network therefore has both a huge computation overhead and poor timeliness.
Disclosure of Invention
The network traffic anomaly monitoring method, device, electronic equipment and storage medium provided by the application address the problems of the related art, in which detecting and filtering illegal data in a network by using a server has a huge computation overhead and poor timeliness and leaves the user's information and property exposed to damage.
An embodiment of one aspect of the application provides a network traffic anomaly monitoring method, applied to a client, which includes: acquiring a page loading request, wherein the loading request comprises a target page identifier; determining a target download data volume according to the target page identifier; recording attribute information of each piece of actually downloaded data when the page is loaded, wherein the attribute information comprises the data volume of each piece of actually downloaded data and the resource data corresponding to it; judging whether the total data volume of the actually downloaded data is larger than the target download data volume; and if so, sending a network traffic anomaly message to a server, wherein the anomaly message comprises the resource data corresponding to the illegal data in the actually downloaded data.
An embodiment of another aspect of the application provides a network traffic anomaly monitoring method, applied to a server, which includes: acquiring a network traffic anomaly message sent by a client, wherein the anomaly message comprises the resource data corresponding to each piece of illegal data; updating the illegal resource library with the resource data to generate an updated illegal resource library; and sending the updated illegal resource library to each client.
An embodiment of another aspect of the application provides a network traffic anomaly monitoring device, applied to a client, which includes: an acquisition module for acquiring a page loading request that comprises a target page identifier; a determining module for determining the target download data volume according to the target page identifier; a recording module for recording attribute information of each piece of actually downloaded data when the page is loaded, wherein the attribute information comprises the data volume of each piece of actually downloaded data and the resource data corresponding to it; and a judging module for judging whether the total data volume of the actually downloaded data is larger than the target download data volume; if so, a network traffic anomaly message is sent to a server, wherein the anomaly message comprises the resource data corresponding to the illegal data in the actually downloaded data.
An embodiment of another aspect of the application provides a network traffic anomaly monitoring device, applied to a server, which includes: an acquisition module for acquiring network traffic anomaly messages sent by a client, wherein the anomaly messages comprise the resource data corresponding to each piece of illegal data; an updating module for updating the illegal resource library with the resource data to generate an updated illegal resource library; and a sending module for sending the updated illegal resource library to each client.
An embodiment of another aspect of the application provides an electronic device, which includes a memory, a processor, and a computer program that is stored on the memory and can run on the processor, wherein the processor executes the program to implement the network traffic anomaly monitoring method described above.
An embodiment of another aspect of the application provides a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the network traffic anomaly monitoring method described above.
An embodiment of another aspect of the application provides a computer program which, when executed by a processor, implements the network traffic anomaly monitoring method according to the embodiments of the application.
With the network traffic anomaly monitoring method, device, electronic equipment, computer-readable storage medium and computer program provided by the application, the client obtains the page loading request, determines the target download data volume according to the target page identifier in the loading request, records the attribute information of each piece of actually downloaded data during page loading, and judges whether the total data volume of the actually downloaded data is larger than the target download data volume. If so, it sends a network traffic anomaly message to the server, so that the server updates the illegal resource library according to the resource data corresponding to the illegal data in the anomaly message and sends the illegal resource library to the client. The illegal data is thus determined from the target download data volume and the total data volume actually downloaded, and the illegal resource library can then be updated according to the attribute information of the illegal data. Because the client determines the illegal data and monitors the network traffic anomaly, computation overhead is saved, timeliness is improved, the user's information and property are protected, and the user experience is improved.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic flowchart of a method for monitoring network traffic anomaly according to an embodiment of the present application;
fig. 2 is a schematic flowchart of another network traffic anomaly monitoring method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another network traffic anomaly monitoring method according to an embodiment of the present application;
fig. 4 is a signaling interaction diagram of a network traffic anomaly monitoring method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network traffic anomaly monitoring device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another network traffic anomaly monitoring device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the like or similar elements throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
The embodiment of the application provides a network traffic anomaly monitoring method aimed at two problems: illegal sites inject illegal data, capable of obtaining data in the background, into the page currently being transmitted to a user, stealing the user's private data or maliciously consuming the user's traffic and so damaging the user's information security and property security; and the existing method of detecting and filtering illegal data in a network by using a server has a huge computation overhead and poor timeliness.
In the network traffic anomaly monitoring method provided by the embodiment of the application, the client obtains a page loading request, determines the target download data volume according to the target page identifier in the loading request, records the attribute information of each piece of actually downloaded data during page loading, and judges whether the total data volume of the actually downloaded data is larger than the target download data volume. If so, it sends a network traffic anomaly message to the server, so that the server updates the illegal resource library and sends it to the client. The illegal data is thus determined from the target download data volume and the total data volume actually downloaded, and the illegal resource library can then be updated according to the attribute information of the illegal data. Because the client determines the illegal data and monitors the network traffic anomaly, computation overhead is saved, timeliness is improved, the user's information and property are protected, and the user experience is improved.
The following describes in detail a network traffic anomaly monitoring method, apparatus, electronic device, storage medium, and computer program provided by the present application with reference to the accompanying drawings.
The following describes in detail a network traffic anomaly monitoring method provided in the embodiments of the present application, taking a client side and a server side as examples.
First, a client side is taken as an example to describe in detail a network traffic anomaly monitoring method provided in the embodiment of the present application.
Fig. 1 is a schematic flowchart of a network traffic anomaly monitoring method according to an embodiment of the present application, where the method is applied to a client.
As shown in fig. 1, the method for monitoring network traffic anomaly includes the following steps:
Step 101, a page loading request is obtained, wherein the loading request comprises a target page identifier.
In practical use, the network traffic anomaly monitoring method provided by the embodiment of the present application can be executed by the network traffic anomaly monitoring device provided by the embodiment of the present application. The network flow abnormity monitoring device can be applied to a client, and the client can be any electronic equipment, such as a mobile phone, a computer and the like.
The page loading request may be provided to the client by the user through an input device of the client, where the input device may be a mouse, a keyboard, or the like.
It will be appreciated that the identification of the target page is included in the page load request.
The target page is the page that the user requests to load through the client. The identifier of the target page is the information that establishes the identity of the target page. Each page has a uniquely determined page identifier; for example, the name or IP address corresponding to the page may be used.
In actual use, the client can analyze the address of the server corresponding to the target page according to the identifier of the target page, and can send a page loading request to the server through the network.
Step 102, determining the target download data volume according to the target page identifier.
The target download data volume is the number of bytes of data to be downloaded when the target page is loaded.
It should be noted that the client may obtain the target download data volume locally according to the identifier of the target page, or may send the page loading request to the server, which returns the target download data volume to the client according to the identifier of the target page.
For example, when a client loads a certain page for the first time, the page identifier it obtained and the download data volume returned by the server for that page can form a mapping, which is cached locally. If the client is not requesting the target page for the first time, it determines the target download data volume from the locally cached mapping between page identifier and download data volume that was stored when the target page was first loaded. If the client is loading the target page for the first time, it can send the page loading request to the server, obtain the target download data volume of the target page from the server, and cache the mapping between the target page identifier and the target download data volume locally.
Further, in a possible implementation form of the embodiment of the present application, the target page may generally contain a plurality of pieces of data to be downloaded. For example, the Baidu search page contains data such as "Baidu icon", "search box", "advertisement recommendation", and the like. That is, after step 101, the method may further include:
determining the identifier of each target data according to the identifier of the target page.
The target data is the data to be downloaded when the target page is loaded. The client can determine the target data in the target page, and the identifier of each target data, according to the identifier of the target page. The identifier of a target data uniquely determines that target data, and the data volume of the target data can be determined according to its identifier.
Step 103, recording attribute information of each piece of actually downloaded data when the page is loaded, wherein the attribute information comprises the data volume of each piece of actually downloaded data and the corresponding resource data.
The resource data refers to elements that can characterize the characteristics of the data, and may include scripts, source codes, layout files, and the like of the data.
Step 104, judging whether the total data volume of the actually downloaded data is larger than the target download data volume; if so, executing step 105; otherwise, ending the network traffic anomaly monitoring process.
It can be understood that, when the total data volume of the actually downloaded data is greater than the target download data volume, it may be determined that the target page includes illegal data causing a network traffic anomaly, and a network traffic anomaly message may be sent to the server so that the server analyzes and processes the illegal data.
Further, in a possible implementation form of the embodiment of the present application, illegal data causing abnormal network traffic may be hidden inside a target download data of the target page, so that the data volume of an actually downloaded data is inconsistent with its target download data volume. That is, the illegal data may be determined according to the data volume of each piece of data actually downloaded.
It can be understood that, when illegal data is hidden in a certain target download data, the data volume actually downloaded for that target download data may be larger than the corresponding data volume determined according to the target page identifier. Therefore, in a possible implementation form of the embodiment of the present application, if the data volume actually downloaded for a target download data is larger than the corresponding data volume determined according to the target page identifier, that target download data may be determined to be illegal data.
Further, in a possible implementation form of the embodiment of the present application, the illegal data causing the network traffic anomaly may also exist independently, so that the identifiers of the data actually downloaded are inconsistent with the identifiers of the target data in the target page. That is, after step 104, the method may further include:
judging whether the identifiers of the target data include the identifier of each piece of actually downloaded data;
and if the identifier of an actually downloaded first data is not included in the identifiers of the target data, determining that the actually downloaded first data is illegal data.
The first data is actually downloaded data whose identifier is not included in the identifiers of the target data.
It can be understood that, when the identifier of some actually downloaded data is not included in the identifiers of the target data in the target page, that data may be determined to be illegal data causing a network traffic anomaly.
Further, in a possible implementation form of the embodiment of the present application, a data volume threshold for data in the target page may also be preset, and when the data volume of some actually downloaded data exceeds the threshold, that data may be determined to be illegal data. In actual use, the size of the data volume threshold may be determined according to actual needs, which is not limited in the embodiment of the present application. That is, after step 104, the method may further include:
judging whether the data volume of a second data in the actually downloaded data is larger than a threshold;
and if so, adding the resource data corresponding to the second data to a preset illegal resource library.
The second data is actually downloaded data whose data volume is larger than the threshold. The illegal resource library is a database containing the resource data of all known illegal data.
It should be noted that the data volume threshold for data in the target page may be preset according to the following principle: the data volume of every target data in the target page is smaller than the threshold. Therefore, when the data volume of some actually downloaded data is larger than the threshold, the client can directly determine that the data is illegal and add it to the preset illegal resource library. That is, the client does not need to send the resource data to the server and have the server judge from the resource data whether the data is illegal.
Step 105, sending a network traffic anomaly message to the server, wherein the anomaly message comprises the resource data corresponding to the illegal data in the actually downloaded data.
Specifically, when the client determines that the target page contains illegal data, it can determine that the target page has a network traffic anomaly and send a network traffic anomaly message to the server, wherein the message includes the resource data corresponding to the illegal data determined by the client. The server can analyze the resource data corresponding to the data and further judge whether the data is illegal.
It should be noted that, when the illegal data determined by the client is second data whose data volume is greater than the threshold, the client need not send a network traffic anomaly message to the server; the data is added directly to the preset illegal resource library.
In the network traffic anomaly detection method provided by the embodiment of the application, the client obtains a page loading request, determines the target download data volume and the identifier of each target data according to the target page identifier in the loading request, and records the attribute information of each piece of actually downloaded data during page loading. It judges whether the actually downloaded data contains illegal data according to the data volume, total data volume and identifier of each piece of actually downloaded data, the target download data volume, and the identifier of each target data. If so, it sends a network traffic anomaly message to the server, so that the server updates the illegal resource library and sends it to the client; when the data volume of the illegal data is larger than the threshold, the client updates the illegal resource library directly. The illegal resource library can thus be updated according to the attribute information of the illegal data. Because the client determines the illegal data and monitors the network traffic anomaly, computation overhead is saved, timeliness is improved, the user's information and property are protected, and the user experience is improved.
In a possible implementation form of the present application, an illegal resource library or an illegal resource model may be preset; that is, before each target data in a target page starts to be downloaded, whether each piece of data to be downloaded is legal may be determined according to the preset illegal resource library or the preset illegal resource model. If a piece of data to be downloaded is illegal, its download is terminated.
The network traffic anomaly monitoring method provided in the embodiment of the present application is further described below with reference to fig. 2.
Fig. 2 is a schematic flowchart of another network traffic anomaly monitoring method according to an embodiment of the present application, where the method is applied to a client.
As shown in fig. 2, the method for monitoring network traffic anomaly includes the following steps:
Step 201, a page loading request is obtained, where the loading request includes a target page identifier.
Step 202, determining each data to be downloaded in the target page according to the target page identifier.
It can be understood that, before the target page is loaded, each piece of data to be downloaded in the target page and resource data of each piece of data to be downloaded can be determined according to the identifier of the target page.
The detailed implementation process and principle of the steps 201-202 can refer to the detailed description of the above embodiments, and are not described herein again.
Step 203, judging whether the resource data of each data to be downloaded is legal or not according to a preset illegal resource library.
It should be noted that the preset illegal resource library includes the resource data of all known illegal data. Before the target page is loaded, the data to be downloaded in the target page and the resource data of that data can be determined according to the identifier of the target page. The resource data of each piece of data to be downloaded is compared with the resource data in the illegal resource library; if the illegal resource library includes the resource data of a piece of data to be downloaded, that data is determined to be illegal data and its download is interrupted.
In a possible implementation form of the present application, because the illegal resource library only includes known illegal resource data, new illegal resource data may go unidentified when only the library is used for the judgment. To improve the accuracy of identifying illegal resources, the present application may therefore also identify the resource data of each piece of data to be downloaded by using a preset illegal resource identification model, so as to judge whether that resource data is legal. The illegal resource identification model is an identification model obtained by training with known illegal data as training samples.
It should be noted that training can be regarded as a process of extracting common features of training samples, and a model obtained by training summarizes a general rule common to a large number of training samples. Therefore, the model obtained by training can judge the similarity between the test sample and the training sample according to whether the test sample follows the common rule shared by the training samples.
In a possible implementation form of the embodiment of the application, if it is determined that the preset illegal resource library does not include the resource data of each piece of data to be downloaded, the preset illegal resource identification model may be further used to further determine whether each piece of data to be downloaded is illegal. When the illegal resource identification model is used for identifying that the data to be downloaded has the characteristics of illegal data, the data can be determined to be illegal data, and the downloading of the data is interrupted.
Step 204: if the resource data of the third data to be downloaded is determined to be illegal, interrupt the downloading of the third data.
The third data refers to the data, of which the corresponding resource data is illegal, in each data to be downloaded in the target page.
Specifically, after the third data to be downloaded is determined to be illegal by using the preset illegal resource library or the preset illegal resource identification model, the downloading of the third data can be interrupted to prevent the user's traffic from being stolen. Meanwhile, after the download is interrupted, early warning information can be displayed on the page to prompt the user that illegal data that steals traffic may exist in the target page.
According to the network flow abnormity monitoring method provided by the embodiment of the application, the page loading request can be obtained through the client, each data to be downloaded is determined according to the target page identification in the loading request, then whether each data to be downloaded is illegal data or not is determined by using the preset illegal resource library or the illegal resource identification model, and the downloading of the illegal data is interrupted. Therefore, by utilizing the preset illegal resource library or illegal resource identification model and determining the illegal data according to the resource data of each data to be downloaded, the downloading of the illegal data can be interrupted, and the illegal resource library is updated according to the attribute information of the illegal data, so that the illegal data can be determined by utilizing the client, the network flow abnormity can be monitored, the calculation overhead is saved, the timeliness is improved, the information and property safety of a user is ensured, and the user experience is improved.
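The two-stage check described above (exact lookup in the illegal resource library, then the identification model for resource data the library does not contain) can be sketched as follows. This is an added example, not code from the patent: the SHA-256 fingerprint, the token-overlap (Jaccard) similarity used as a stand-in for the trained model, the 0.6 threshold and all sample resource data are assumptions constructed for illustration.

```python
import hashlib
import re


def fingerprint(resource_data):
    """Exact-match key for the library (assumption: SHA-256 of the text)."""
    return hashlib.sha256(resource_data.encode("utf-8")).hexdigest()


def features(resource_data):
    """Feature set for the stand-in model: lower-cased identifier tokens."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", resource_data)
    return frozenset(t.lower() for t in tokens)


class SimilarityModel:
    """Stand-in for the illegal resource identification model (assumption).

    "Training" stores the feature set of every known illegal sample; a test
    sample is judged by its best Jaccard similarity to any training sample.
    """

    def __init__(self, training_samples, threshold=0.6):
        self.samples = [features(s) for s in training_samples]
        self.threshold = threshold

    def score(self, resource_data):
        f = features(resource_data)
        best = 0.0
        for s in self.samples:
            union = f | s
            if union:  # two empty feature sets share nothing measurable
                best = max(best, len(f & s) / len(union))
        return best

    def is_illegal(self, resource_data):
        return self.score(resource_data) >= self.threshold


def screen_downloads(pending, library, model):
    """Decide, before loading, which pending downloads to interrupt.

    pending maps a data identifier to its resource data. Returns the list of
    allowed identifiers and a dict of interrupted identifiers with the stage
    ("library" or "model") that flagged them.
    """
    allowed, interrupted = [], {}
    for data_id, resource_data in pending.items():
        if fingerprint(resource_data) in library:
            interrupted[data_id] = "library"   # known illegal resource data
        elif model.is_illegal(resource_data):
            interrupted[data_id] = "model"     # new, but shares the features
        else:
            allowed.append(data_id)
    return allowed, interrupted


# Constructed sample resource data (not taken from the patent).
KNOWN_ILLEGAL = ('<script src="//ads.example.invalid/preload.js"></script>'
                 '<video autoplay preload="auto" '
                 'src="//ads.example.invalid/clip-01.mp4"></video>')
VARIANT = ('<script src="//ads2.example.invalid/preload.js"></script>'
           '<video autoplay preload="auto" '
           'src="//ads2.example.invalid/clip-02.mp4"></video>')
BENIGN = '<nav id="menu"><a href="/home">Home</a><a href="/about">About</a></nav>'


def demo():
    library = {fingerprint(KNOWN_ILLEGAL)}
    model = SimilarityModel([KNOWN_ILLEGAL])
    pending = {"nav.html": BENIGN, "a.js": KNOWN_ILLEGAL, "b.js": VARIANT}
    return screen_downloads(pending, library, model)


if __name__ == "__main__":
    print(demo())
```

The variant differs from the known sample by a few bytes, so the exact lookup misses it and only the similarity stage interrupts it, which is the gap the model is meant to close.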
The following describes in detail a network traffic anomaly monitoring method provided in the embodiments of the present application, taking a server side as an example.
The network traffic anomaly monitoring method provided in the embodiment of the present application is further described below with reference to fig. 3.
Fig. 3 is a schematic flowchart of another network traffic anomaly monitoring method according to an embodiment of the present application, where the method is applied to a server.
As shown in fig. 3, the method for monitoring network traffic anomaly includes the following steps:
Step 301: obtain a network traffic exception message sent by a client, where the exception message includes the resource data corresponding to each piece of illegal data.
It should be noted that the network traffic anomaly monitoring method provided in the embodiment of the present application may be executed by the network traffic anomaly monitoring apparatus provided in the present application. The network flow abnormity monitoring device can be applied to a server, and the server can be any electronic equipment.
The resource data corresponding to the illegal data refers to elements that can represent characteristics of the illegal data, and may include scripts, source codes, layout files, and the like of the data. The server can determine the characteristics of the illegal data by analyzing the resource data of the illegal data and update the illegal resource library.
Further, when the types of networks to which the clients belong are different, or the users corresponding to the clients are different, the types of the illegal data attacking the clients may also be different. Therefore, the corresponding relation between the illegal data and the client can be determined according to the attribute information of the client. That is, the exception message may further include the attribute of the client. The attribute of the client may be information such as a network type to which the client belongs, a user corresponding to the client, and the like.
Step 302: update the illegal resource library by using the resource data to generate an updated illegal resource library.
The illegal resource library refers to a database of resource data including all known illegal data.
It can be understood that, after the server acquires the resource data corresponding to the illegal data sent by the client, the acquired resource data may be compared with the resource data in the illegal resource library, and if the illegal resource library does not include the resource data, the resource data may be newly added to the illegal resource library to generate an updated illegal resource library.
Further, when the attributes of the clients are different, the corresponding illegal data types may also be different, so that different illegal resource libraries may be respectively established according to the attributes of the clients. That is, the step 302 may further include:
performing statistical analysis on resource data corresponding to all acquired illegal data within a preset time period, and determining target resource data and client attributes corresponding to the target resource data;
and updating the illegal resource library associated with the corresponding client attribute by using the target resource data.
The target resource data refers to resource data obtained by removing repeated resource data from resource data corresponding to all illegal data obtained within a preset time period.
It should be noted that, if the server analyzes resource data corresponding to one piece of illegal data every time the server acquires the resource data, the calculation overhead and the operation load of the server may be increased. Therefore, the time interval for the server to perform statistical analysis on the acquired resource data may be preset, for example, performing statistical analysis on all the acquired resource data every 30 minutes. In actual use, the time interval may be preset according to actual needs, for example, a principle that the efficiency of updating the illegal database can be ensured and the calculation overhead of the server can be reduced may be followed, which is not limited in the embodiment of the present application.
It can be understood that, within a preset time period, resource data corresponding to a large amount of illegal data acquired by the server may have many repeated resource data, and if all the acquired resource data are analyzed, it is obviously unnecessary and the computing resources of the server are wasted. Therefore, all the acquired resource data in the preset time period can be subjected to statistical analysis, that is, repeated resource data are removed, only one piece of each type of repeated resource data is reserved, and the target resource data is determined.
It should be noted that, when the attributes of the clients are different, the corresponding illegal data types may also be different, so the client attribute corresponding to the target resource data may also be determined. For example, if the server performs statistical analysis on the acquired resource data and finds that the target resource data A is reported by clients belonging to the mobile network, it may be considered that the illegal data corresponding to the target resource data A is currently attacking clients belonging to the mobile network; that is, the client attribute corresponding to the target resource data A may be determined to be "mobile network". As another example, the attribute of the client may also be the user corresponding to the client. The clients may be classified according to the web-browsing habits of their users; for example, the attribute of the clients corresponding to a user group that prefers to browse financing-type websites may be set as "financing class". If the server performs statistical analysis on the acquired resource data and finds that the target resource data B is all reported by clients having the attribute "financing class", it may be considered that the illegal data corresponding to the target resource data B is currently attacking "financing class" clients; that is, the client attribute corresponding to the target resource data B may be determined to be "financing class".
Further, after the target resource data and the client attribute corresponding to the target resource data are determined, the target resource data can be newly added into the illegal resource library associated with the client attribute corresponding to the target resource data, so that the illegal resource library is updated.
For example, in a preset time period, the server acquires 50 pieces of resource data corresponding to illegal data sent by clients of the mobile network, and these 50 pieces of resource data are the same; it also acquires 50 pieces of resource data corresponding to illegal data sent by clients of the connected network, and these 50 pieces of resource data are the same, while the resource data sent by the clients of the mobile network is different from the resource data sent by the clients of the connected network. After the server performs statistical analysis on the 100 pieces of resource data, the determined target resource data C is the resource data corresponding to 1 piece of illegal data sent by the clients of the mobile network, and the target resource data D is the resource data corresponding to 1 piece of illegal data sent by the clients of the connected network. Correspondingly, the client attribute corresponding to the target resource data C is "mobile network", and the client attribute corresponding to the target resource data D is "connected network". That is, the target resource data C can be newly added to the illegal resource library of the mobile network, and the target resource data D can be newly added to the illegal resource library of the connected network.
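The windowed statistical analysis of step 302, run on the 50 + 50 reports of the example above, can be sketched as follows. This is an added example, not code from the patent: the message fields, the SHA-256 fingerprint used to detect repeated resource data, the class and method names and the sample resource data are assumptions.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExceptionMessage:
    """One network traffic exception message (field names are assumptions)."""
    client_id: str
    client_attribute: str   # e.g. "mobile network"
    resource_data: str      # resource data of one piece of illegal data


def fingerprint(resource_data):
    """Key used to detect repeated resource data (assumption: SHA-256)."""
    return hashlib.sha256(resource_data.encode("utf-8")).hexdigest()


class IllegalLibraryServer:
    def __init__(self, window_seconds=30 * 60):
        self.window = window_seconds
        self.pending = []                    # reports not yet analysed
        self.libraries = defaultdict(dict)   # attribute -> {fingerprint: data}
        self.last_run = 0.0

    def receive(self, message):
        """Step 301: queue the report; nothing is analysed per message."""
        self.pending.append(message)

    def analyse(self, now):
        """Step 302, run once per preset period.

        Removes repeated resource data, keeps one copy per client attribute
        (the target resource data), and adds it to the library associated
        with that attribute. Returns {attribute: [newly added resource data]}.
        """
        if now - self.last_run < self.window:
            return {}                        # period not elapsed yet
        batch, self.pending = self.pending, []
        self.last_run = now

        targets = {}                         # (attribute, fingerprint) -> data
        for m in batch:
            key = (m.client_attribute, fingerprint(m.resource_data))
            targets.setdefault(key, m.resource_data)

        added = defaultdict(list)
        for (attribute, fp), data in targets.items():
            if fp not in self.libraries[attribute]:   # not yet in the library
                self.libraries[attribute][fp] = data
                added[attribute].append(data)
        return dict(added)

    def library_for(self, attribute):
        """Step 303: the library to send to clients with this attribute."""
        return set(self.libraries[attribute])


# Constructed resource data standing in for target resource data C and D.
RESOURCE_C = "<script>/* constructed sample C */</script>"
RESOURCE_D = "<script>/* constructed sample D */</script>"


def demo():
    server = IllegalLibraryServer()
    for i in range(50):
        server.receive(ExceptionMessage(f"m{i}", "mobile network", RESOURCE_C))
        server.receive(ExceptionMessage(f"u{i}", "connected network", RESOURCE_D))
    return server, server.analyse(now=1800.0)


if __name__ == "__main__":
    print(demo()[1])
```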
Furthermore, since the illegal resource library can include only known illegal resource data, new illegal resource data may go unidentified when the library is used to judge illegal data. Therefore, to improve the accuracy of identifying illegal resources, in a possible implementation form of the embodiment of the present application, the illegal resources in the illegal resource library may be used as training samples to train and generate an illegal resource identification model. That is, after step 302, the method may further include:
training to generate an illegal resource identification model by taking each illegal resource in the updated illegal resource library as a training sample;
and respectively sending the illegal resource identification model to each client.
It should be noted that training can be regarded as a process of extracting common features of training samples, and a model obtained by training summarizes a general rule common to a large number of training samples. Therefore, the model obtained by training can judge the similarity between the test sample and the training sample according to whether the test sample follows the common rule shared by the training samples.
It can be understood that the illegal resource identification model provided in the embodiment of the application summarizes a common rule common to each illegal data in the illegal resource library. When the illegal resource identification model is trained, some feature data of each illegal data in the illegal resource library can be used as training samples, such as scripts, source codes and the like of the illegal data. Correspondingly, when the illegal resource identification model is used for judging whether certain data is illegal data, the same characteristic data is selected to be input into the illegal resource identification model so as to judge the similarity between the data and the illegal data, and then whether the test data is illegal data is determined.
For example, if the script and the source code of the illegal data are used as training samples when the illegal resource identification model is trained, when the illegal resource identification model is used to determine whether the data a is illegal, the script and the source code of the data a are required to be used as test samples to be input into the illegal resource identification model, and then whether the data a is illegal is determined according to the output of the illegal resource identification model.
It should be noted that, when the illegal data is identified by the illegal resource identification model, the resource data corresponding to the data may not be included in the illegal resource library, but whether the data is illegal is determined according to whether the resource data corresponding to the data has the same characteristics as the resource data in the illegal resource library.
Step 303: send the updated illegal resource libraries to the respective clients.
Specifically, after the server updates the illegal resource library according to the resource data corresponding to the illegal data, the illegal resource library associated with the attribute of the client can be sent to the corresponding client according to the identifier of the client and the attribute of the client.
It should be noted that the identifier of the client may be an IP address of the client or the like, which may uniquely identify the client. The client side can send the own identification to the server when sending the network flow abnormal message to the server, so that the server can return the updated illegal resource library and the illegal resource identification model according to the identification of the client side.
The network flow abnormity monitoring method provided by the embodiment of the application can acquire the network flow abnormity information sent by the client, update the illegal resource base according to the resource data corresponding to the illegal data in the abnormity information, train and generate the illegal resource identification model by utilizing each illegal resource in the updated illegal resource base, and further send the updated illegal resource base and the illegal resource identification model to each client. Therefore, the illegal resource library is updated according to the resource data corresponding to the illegal data, the illegal resource identification model is generated, and then the illegal data can be determined according to the updated illegal resource library and the updated illegal resource identification model, so that the illegal data can be determined by utilizing the client side, the network flow abnormity can be monitored, the calculation overhead is saved, the timeliness is improved, the information and property safety of users are guaranteed, and the user experience is improved.
Fig. 4 is a signaling interaction diagram of a network traffic anomaly monitoring method according to an embodiment of the present application.
As shown in fig. 4, the method for monitoring network traffic anomaly includes the following steps:
Step 401: the client obtains a page loading request.
Wherein, the loading request comprises a target page identifier.
Step 402, the client determines the target download data volume according to the target page identifier.
Step 403, recording the attribute information of each data actually downloaded when the page is loaded.
The attribute information comprises the data volume of each actually downloaded data and the corresponding resource data.
Step 404: determine whether the total data volume of the actually downloaded data is greater than the target download data volume.
Step 405: if so, the client sends a network traffic exception message to the server.
The abnormal message comprises resource data corresponding to illegal data in the actually downloaded data.
Step 406: the server updates the illegal resource library with the resource data to generate an updated illegal resource library.
Step 407: the server sends the updated illegal resource library to each client.
In the process, a page loading request is obtained through a client, a target downloading data volume is determined according to a target page identification in the loading request, attribute information of each actually downloaded data is recorded during page loading, whether the total data volume of each actually downloaded data is larger than the target downloading data volume is further judged, if yes, a network flow abnormal message is sent to a server, and the server updates an illegal resource library according to resource data corresponding to illegal data in the abnormal message and sends the updated illegal resource library to the client. Therefore, the illegal data are determined according to the target download data volume and the total data volume actually downloaded, and then the illegal resource library can be updated according to the attribute information of the illegal data, so that the illegal data are determined by utilizing the client side, the network flow abnormity is monitored, the calculation overhead is saved, the timeliness is improved, the information and property safety of a user is ensured, and the user experience is improved.
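The client side of this exchange (steps 401 to 405) can be sketched as follows, together with the identifier comparison and the size threshold for the local library that the device description mentions. This is an added example, not code from the patent: the page manifest used to obtain the target download data volume, the message layout, the 500,000-byte threshold, the fallback for oversized expected data and all sample values are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    """Attribute information recorded for one actually downloaded data item."""
    data_id: str        # identifier of the data
    size: int           # data volume in bytes
    resource_data: str  # script, source code or layout of the data


def fingerprint(resource_data):
    """Key stored in the local illegal resource library (assumption)."""
    return hashlib.sha256(resource_data.encode("utf-8")).hexdigest()


def check_page_load(page_id, downloads, manifest, client, local_library,
                    size_threshold=500_000):
    """Return a network traffic exception message, or None for a clean load.

    manifest maps a page identifier to {data_id: expected size}; this is an
    assumed way of deriving the target data from the target page identifier.
    """
    targets = manifest[page_id]
    target_volume = sum(targets.values())            # step 402
    actual_volume = sum(d.size for d in downloads)   # steps 403-404
    if actual_volume <= target_volume:
        return None

    # Data whose identifier is not among the target data is illegal data.
    illegal = [d for d in downloads if d.data_id not in targets]
    if not illegal:
        # Assumption: with no unexpected identifier, flag expected data whose
        # actual volume exceeds its expected volume.
        illegal = [d for d in downloads if d.size > targets[d.data_id]]

    # Large illegal data goes straight into the client's own library.
    for d in illegal:
        if d.size > size_threshold:
            local_library.add(fingerprint(d.resource_data))

    return {                                          # step 405
        "client_id": client["id"],
        "client_attribute": client["attribute"],
        "page_id": page_id,
        "target_volume": target_volume,
        "actual_volume": actual_volume,
        "illegal": [{"data_id": d.data_id, "size": d.size,
                     "resource_data": d.resource_data} for d in illegal],
    }


# Constructed sample data (not taken from the patent).
MANIFEST = {"news/1": {"index.html": 20_000, "app.js": 50_000, "logo.png": 10_000}}
CLIENT = {"id": "192.0.2.10", "attribute": "mobile network"}
EXPECTED = [Download("index.html", 20_000, "<html>...</html>"),
            Download("app.js", 50_000, "function render(){}"),
            Download("logo.png", 10_000, "image/png")]
INJECTED = Download("promo.mp4", 900_000, '<video autoplay src="promo.mp4">')


def demo():
    library = set()
    message = check_page_load("news/1", EXPECTED + [INJECTED],
                              MANIFEST, CLIENT, library)
    return message, library


if __name__ == "__main__":
    print(demo())
```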
In order to implement the above embodiments, the present application further provides a network traffic anomaly monitoring device.
Fig. 5 is a schematic structural diagram of a network traffic anomaly monitoring device according to an embodiment of the present application, which is applied to a client.
As shown in fig. 5, the network traffic anomaly monitoring device 50 includes:
the obtaining module 51 is configured to obtain a page loading request, where the page loading request includes a target page identifier.
And the determining module 52 is configured to determine the target download data amount according to the target page identifier.
The recording module 53 is configured to record attribute information of each actually downloaded data when the page is loaded, where the attribute information includes data amount of each actually downloaded data and corresponding resource data.
A judging module 54, configured to judge whether a total data amount of each actually downloaded data is greater than a target download data amount;
and if so, sending a network flow abnormal message to a server, wherein the abnormal message comprises resource data corresponding to illegal data in the actually downloaded data.
In practical use, the network traffic anomaly monitoring device provided in the embodiment of the present application may be configured in any electronic device to execute the foregoing network traffic anomaly monitoring method.
The network flow abnormity monitoring device provided by the embodiment of the application is applied to a client, can acquire a page loading request, determines a target download data volume according to a target page identification in the loading request, and records attribute information of each actually downloaded data when the page is loaded, so as to judge whether the data total amount of each actually downloaded data is larger than the target download data volume, and if so, sends a network flow abnormity message to a server, so that the server updates an illegal resource library and sends the illegal resource library to the client. Therefore, the illegal data are determined according to the target download data volume and the total data volume actually downloaded, and then the illegal resource library can be updated according to the attribute information of the illegal data, so that the illegal data are determined by utilizing the client side, the network flow abnormity is monitored, the calculation overhead is saved, the timeliness is improved, the information and property safety of a user is ensured, and the user experience is improved.
In a possible implementation form of the present application, the network traffic anomaly monitoring apparatus is specifically configured to:
and determining the illegal data according to the data volume of each actually downloaded data.
Further, in another possible implementation form of the present application, the network traffic anomaly monitoring device is further configured to:
determining the identification of each target data according to the identification of the target page;
judging whether the identification of each target data comprises the identification of each actually downloaded data;
and if the identification of the actually downloaded first data is not included in the identification of each target data, determining that the actually downloaded first data is illegal data.
Further, in another possible implementation form of the present application, the network traffic anomaly monitoring device is further configured to:
judging whether the data volume of second data in the actually downloaded data is larger than a threshold value;
and if so, adding the resource data corresponding to the second data into a preset illegal resource library.
Further, in another possible implementation form of the present application, the network traffic anomaly monitoring apparatus is further configured to:
judging whether the resource data of each data to be downloaded is legal or not according to a preset illegal resource library;
and if the resource data of the third data to be downloaded are determined to be illegal, interrupting the downloading of the third data.
Further, in another possible implementation form of the present application, the network traffic anomaly monitoring apparatus is further configured to:
identifying the resource data of each data to be downloaded by using a preset illegal resource identification model so as to judge whether the resource data of each data to be downloaded is legal or not;
and if the resource data of the third data to be downloaded are determined to be illegal, interrupting the downloading of the third data.
It should be noted that the foregoing explanation on the embodiment of the network traffic anomaly monitoring method shown in fig. 1, fig. 2, fig. 3, or fig. 4 is also applicable to the network traffic anomaly monitoring apparatus 50 of this embodiment, and is not repeated here.
The network flow abnormity monitoring device provided by the embodiment of the application is applied to a client, can acquire a page loading request, determines the data volume of target downloading and the identification of each target data according to the target page identification in the loading request, records the attribute information of each actually downloaded data when the page is loaded, judges whether each actually downloaded data contains illegal data according to the data volume, the total data volume and the identification of each actually downloaded data, the data volume of the target downloading and the identification of each target data, and sends a network flow abnormity message to a server if the actually downloaded data contains illegal data, so that the server updates an illegal resource library and sends the illegal data library to the client, and directly updates the illegal resource library through the client when the data volume of the illegal data is greater than a threshold value. In addition, illegal data can be identified according to a preset illegal resource library and an illegal resource identification model, and downloading of the illegal data is interrupted. Therefore, illegal data are determined according to the data volume, the total data volume and the identification of each actually downloaded data, the target downloaded data volume and the identification of each target data, and then the illegal resource library can be updated according to the attribute information of the illegal data, so that the illegal data are determined by utilizing the client, the network flow abnormity is monitored, the calculation overhead is saved, the timeliness is improved, the information and property safety of a user is guaranteed, and the user experience is improved.
In order to implement the above embodiment, the present application further provides another network traffic anomaly monitoring device.
Fig. 6 is a schematic structural diagram of another network traffic anomaly monitoring device according to an embodiment of the present application, which is applied to a server.
As shown in fig. 6, the network traffic abnormality monitoring apparatus 60 includes:
the obtaining module 61 is configured to obtain a network traffic exception message sent by a client, where the exception message includes resource data corresponding to the illegal data respectively.
And the updating module 62 is configured to update the illegal resource library by using the resource data to generate an updated illegal resource library.
And a sending module 63, configured to send the updated illegal resource library to each client respectively.
In practical use, the network traffic anomaly monitoring device provided in the embodiment of the present application may be configured in any electronic device to execute the foregoing network traffic anomaly monitoring method.
The network traffic anomaly monitoring device provided by the embodiment of the application is applied to a server. It can acquire the network traffic exception message sent by the client, update the illegal resource library according to the resource data corresponding to the illegal data in the exception message, and then send the updated illegal resource library to each client. The illegal resource library is thus updated according to the resource data corresponding to the illegal data, and illegal data can then be determined according to the updated illegal resource library, so that illegal data is determined by the client and network traffic anomalies are monitored, which saves calculation overhead, improves timeliness, guarantees the information and property safety of the user, and improves the user experience.
In a possible implementation form of the present application, the network traffic anomaly monitoring apparatus is specifically configured to:
training to generate an illegal resource identification model by taking each illegal resource in the updated illegal resource library as a training sample;
and respectively sending the illegal resource identification model to each client.
Further, in another possible implementation form of the present application, the network traffic anomaly monitoring device is further configured to:
performing statistical analysis on resource data corresponding to all acquired illegal data within a preset time period, and determining target resource data and client attributes corresponding to the target resource data;
and updating the illegal resource library associated with the corresponding client attribute by using the target resource data.
It should be noted that the foregoing explanation on the embodiment of the network traffic anomaly monitoring method shown in fig. 1, fig. 2, fig. 3, or fig. 4 is also applicable to the network traffic anomaly monitoring device 60 of this embodiment, and is not repeated here.
The network traffic anomaly monitoring device provided by the embodiment is applied to a server, can acquire a network traffic anomaly message sent by a client, updates an illegal resource library according to resource data corresponding to illegal data in the anomaly message, trains and generates an illegal resource identification model by using each illegal resource in the updated illegal resource library, and then sends the updated illegal resource library and the illegal resource identification model to each client. Therefore, the illegal resource library is updated according to the resource data corresponding to the illegal data, the illegal resource identification model is generated, and then the illegal data can be determined according to the updated illegal resource library and the updated illegal resource identification model, so that the illegal data can be determined by utilizing the client side, the network flow abnormity can be monitored, the calculation overhead is saved, the timeliness is improved, the information and property safety of users are guaranteed, and the user experience is improved.
In order to implement the foregoing embodiments, the present application further provides an electronic device applied to a server side and a client side.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
As shown in fig. 7, the electronic device 700 includes:
a memory 710 and a processor 720, a bus 730 connecting different components (including the memory 710 and the processor 720), wherein the memory 710 stores a computer program, and when the processor 720 executes the program, the method for monitoring network traffic anomaly according to the embodiment of the present application is implemented.
Bus 730 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 700 typically includes a variety of electronic device readable media. Such media may be any available media that is accessible by electronic device 700 and includes both volatile and nonvolatile media, removable and non-removable media.
Memory 710 may also include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 740 and/or cache memory 750. The electronic device 700 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 760 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 7, and commonly referred to as a "hard drive"). Although not shown in FIG. 7, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 730 by one or more data media interfaces. Memory 710 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 780 having a set (at least one) of program modules 770 may be stored, for example, in memory 710, such program modules 770 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 770 typically perform the functions and/or methodologies of embodiments of the invention as described herein.
The electronic device 700 may also communicate with one or more external devices 790 (e.g., keyboard, pointing device, display 791, etc.), with one or more devices that enable a user to interact with the electronic device 700, and/or with any devices (e.g., network card, modem, etc.) that enable the electronic device 700 to communicate with one or more other computing devices. Such communication may occur over input/output (I/O) interfaces 792. Also, the electronic device 700 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 793. As shown, the network adapter 793 communicates with the other modules of the electronic device 700 over a bus 730. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 700, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processor 720 executes various functional applications and data processing by executing programs stored in the memory 710.
It should be noted that, for the implementation process and the technical principle of the electronic device of this embodiment, reference is made to the foregoing explanation of the network traffic anomaly monitoring method in this embodiment, and details are not described here again.
The electronic device provided by this embodiment of the application can execute the network traffic anomaly monitoring method described above: the client obtains a page loading request, determines the target download data volume according to the target page identifier in the loading request, records the attribute information of each piece of data actually downloaded while the page loads, and then judges whether the total data volume of the actually downloaded data is greater than the target download data volume. If it is, the client sends a network traffic anomaly message to the server, so that the server updates the illegal resource library according to the resource data corresponding to the illegal data in the anomaly message and sends the updated illegal resource library to the client. The illegal data is thus determined from the target download data volume and the total data volume actually downloaded, and the illegal resource library can then be updated according to the attribute information of the illegal data. Because the client itself determines the illegal data and monitors for network traffic anomalies, computing overhead is saved, timeliness is improved, the security of the user's information and property is protected, and the user experience is improved.
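The client-side checks summarised above, together with the identifier comparison, per-item threshold and pre-download lookup recited in claims 1 to 4, look like this in Python. This is an added example, not code from the patent; the class and field names, the extra fields in the anomaly message and the sample page data are assumptions constructed for illustration.

```python
"""Client-side page-load traffic check (constructed example, not the patent's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    ident: str     # identifier of the downloaded data (assumed: URL path)
    resource: str  # resource data it came from (assumed: origin host)
    size: int      # data volume in bytes


@dataclass(frozen=True)
class Baseline:
    target_bytes: int         # target download data volume cached on first load
    target_idents: frozenset  # identifiers of the data the page should fetch


class ClientMonitor:
    def __init__(self, baselines, illegal_resources=(), item_threshold=None):
        self.baselines = dict(baselines)              # page id -> Baseline
        self.illegal_resources = set(illegal_resources)
        self.item_threshold = item_threshold          # per-item byte limit, or None

    def should_block(self, resource):
        """Pre-download check against the local illegal resource library."""
        return resource in self.illegal_resources

    def check_page_load(self, page_id, downloads):
        """Return an anomaly message dict for the server, or None."""
        baseline = self.baselines.get(page_id)
        if baseline is None:
            return None  # first load: nothing cached to compare against yet

        illegal = []
        for d in downloads:
            # Oversized single item: add its resource to the local library.
            if self.item_threshold is not None and d.size > self.item_threshold:
                self.illegal_resources.add(d.resource)
            # Data whose identifier is not among the page's target identifiers.
            if d.ident not in baseline.target_idents:
                illegal.append(d)

        total = sum(d.size for d in downloads)
        if total <= baseline.target_bytes:
            return None  # total volume within target: no message is sent
        return {
            # Only "illegal_resources" is named by the method; the other
            # fields are assumed context for the server.
            "page_id": page_id,
            "target_bytes": baseline.target_bytes,
            "actual_bytes": total,
            "illegal_resources": sorted({d.resource for d in illegal}),
        }


# Constructed sample data: one page baseline and two recorded page loads.
BASELINES = {"news/home": Baseline(
    150_000, frozenset({"/index.html", "/app.js", "/logo.png"}))}
CLEAN_LOAD = [Download("/index.html", "news.example", 40_000),
              Download("/app.js", "news.example", 90_000),
              Download("/logo.png", "news.example", 15_000)]
INJECTED_LOAD = CLEAN_LOAD + [
    Download("/promo.mp4", "ads.injected.example", 900_000)]


def demo():
    mon = ClientMonitor(BASELINES, item_threshold=500_000)
    clean = mon.check_page_load("news/home", CLEAN_LOAD)
    alert = mon.check_page_load("news/home", INJECTED_LOAD)
    return clean, alert, mon.should_block("ads.injected.example")


if __name__ == "__main__":
    print(demo())
```

The comparison here covers only volumes and identifiers, so a substituted resource that keeps its identifier and stays within the target volume is not flagged by this code.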
In order to implement the above embodiments, the present application also proposes a computer-readable storage medium.
The computer readable storage medium stores thereon a computer program, and the computer program is executed by a processor to implement the network traffic anomaly monitoring method according to the embodiment of the present application.
In order to implement the foregoing embodiments, a further embodiment of the present application provides a computer program, which when executed by a processor, implements the network traffic anomaly monitoring method according to the embodiments of the present application.
In an alternative implementation, the embodiments may be implemented in any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the consumer electronic device, partly on the consumer electronic device, as a stand-alone software package, partly on the consumer electronic device and partly on a remote electronic device, or entirely on the remote electronic device or server. In the case of remote electronic devices, the remote electronic devices may be connected to the consumer electronic device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external electronic device (e.g., through the internet using an internet service provider).
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (11)

1. A method for monitoring network traffic anomalies, characterized by comprising the following steps:
acquiring a page loading request, wherein the loading request comprises a target page identifier;
determining a target download data volume according to the target page identifier, wherein the target download data volume is the download data volume which is obtained from a server and cached locally and corresponds to the target page identifier when a target page is loaded for the first time;
recording attribute information of each actually downloaded data when the page is loaded, wherein the attribute information comprises data volume of each actually downloaded data and resource data corresponding to each actually downloaded data;
judging whether the total data amount of each actually downloaded data is larger than the target downloaded data amount;
if so, sending a network flow abnormal message to a server, wherein the abnormal message comprises resource data corresponding to illegal data in the actually downloaded data;
the attribute information also comprises the identification of each actually downloaded data;
after the obtaining of the page loading request, the method further includes:
determining the identification of each target data according to the identification of the target page;
judging whether the identification of each target data comprises the identification of each actually downloaded data;
and if the identifications of the target data do not include the identification of actually downloaded first data, determining that the actually downloaded first data is illegal data, wherein the first data is actually downloaded data whose identification is not included in the identifications of the target data.
2. The method of claim 1, wherein prior to sending the network traffic exception message to the server, further comprising:
and determining the illegal data according to the data volume of each actually downloaded data.
3. The method according to any one of claims 1-2, wherein said recording attribute information of each data actually downloaded when said page is loaded further comprises:
judging whether the data volume of second data in the actually downloaded data is larger than a threshold value;
and if so, adding the resource data corresponding to the second data into a preset illegal resource library.
4. The method of claim 3, wherein after obtaining the page load request, further comprising:
judging whether the resource data of each data to be downloaded is legal or not according to a preset illegal resource library;
and if the resource data of the third data to be downloaded are determined to be illegal, interrupting the downloading of the third data.
5. The method of any of claims 1-2, wherein after obtaining the page load request, further comprising:
identifying the resource data of each data to be downloaded by using a preset illegal resource identification model so as to judge whether the resource data of each data to be downloaded is legal or not;
and if the resource data of the third data to be downloaded are determined to be illegal, interrupting the downloading of the third data.
6. A method for monitoring network traffic anomalies, characterized by comprising the following steps:
acquiring a network flow abnormal message sent by a client, wherein the abnormal message comprises resource data respectively corresponding to illegal data, the network flow abnormal message is sent when the client determines that the total data amount of each data actually downloaded when a target page is loaded is larger than a target download data amount, and the target download data amount is the download data amount corresponding to a target page identifier, which is acquired from a server and cached locally by the client when the target page is loaded for the first time;
updating the illegal resource library by using the resource data to generate an updated illegal resource library;
respectively sending the updated illegal resource library to each client;
after the generating of the updated illegal resource pool, the method further includes:
training to generate an illegal resource identification model by taking each illegal resource in the updated illegal resource library as a training sample;
and respectively sending the illegal resource identification model to each client.
7. The method of claim 6, wherein the exception message further includes attributes of the client;
before the resource data is utilized to update the illegal resource library, the method further includes:
performing statistical analysis on resource data corresponding to all acquired illegal data within a preset time period, and determining target resource data and client attributes corresponding to the target resource data;
the updating process of the illegal resource library by using the resource data comprises the following steps:
and updating the illegal resource library associated with the corresponding client attribute by using the target resource data.
8. A network traffic anomaly monitoring device, applied to a client, characterized by comprising:
an acquisition module, configured to acquire a page loading request, wherein the loading request comprises a target page identifier;
the determining module is used for determining a target download data volume according to the target page identifier, wherein the target download data volume is the download data volume which is obtained from the server and cached locally and corresponds to the target page identifier when the target page is loaded for the first time;
the recording module is used for recording attribute information of each actually downloaded data when the page is loaded, wherein the attribute information comprises data volume of each actually downloaded data and resource data corresponding to each actually downloaded data;
the judging module is used for judging whether the total data amount of each actually downloaded data is larger than the target downloaded data amount;
if so, sending a network flow abnormal message to a server, wherein the abnormal message comprises resource data corresponding to illegal data in the actually downloaded data;
the attribute information also comprises the identification of each actually downloaded data;
after the obtaining of the page loading request, the method further includes:
determining the identification of each target data according to the identification of the target page;
judging whether the identification of each target data comprises the identification of each actually downloaded data;
and if the identifications of the target data do not include the identification of actually downloaded first data, determining that the actually downloaded first data is illegal data, wherein the first data is actually downloaded data whose identification is not included in the identifications of the target data.
9. A network traffic anomaly monitoring device, applied to a server, characterized by comprising:
an acquisition module, configured to acquire a network flow abnormal message sent by a client, wherein the abnormal message comprises resource data respectively corresponding to illegal data, the network flow abnormal message is sent when the client determines that the total data amount of all data actually downloaded when a target page is loaded is larger than a target download data amount, and the target download data amount is the download data amount corresponding to a target page identifier, which is acquired from a server and cached locally by the client when the target page is loaded for the first time;
the updating module is used for updating the illegal resource library by utilizing the resource data to generate an updated illegal resource library;
the sending module is used for respectively sending the updated illegal resource library to each client;
after the generating of the updated illegal resource pool, the method further includes:
training to generate an illegal resource identification model by taking each illegal resource in the updated illegal resource library as a training sample;
and respectively sending the illegal resource identification model to each client.
10. An electronic device, comprising: a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor implements the method for monitoring network traffic anomalies according to any one of claims 1-5 or 6-7 when executing the program.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the network traffic anomaly monitoring method according to any one of claims 1-5 or 6-7.
CN201810797725.6A 2018-07-19 2018-07-19 Network flow abnormity monitoring method and device, electronic equipment and storage medium Active CN108667855B (en)

Publications (2)

Publication Number Publication Date
CN108667855A (en) 2018-10-16
CN108667855B (en) 2021-12-03

Family

ID=63788629

Country Status (1)

Country Link
CN (1) CN108667855B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant